Introduction

Hardware

Q. How can I determine what platforms support PPTP?

A. You can determine which Cisco IOS® Software releases support PPTP by using the Feature Navigator tool (registered customers only). The tool allows you to compare Cisco IOS software releases, match Cisco IOS software and CatOS features to releases, and find out which software release you need to support your hardware.

Microsoft Point-to-Point Encryption (MPPE) is not supported under DUN 1.2. Install Windows 95 DUN 1.3 to connect using MPPE. You can download the Microsoft DUN 1.3 upgrade from the Microsoft web site.

Windows NT 4.0

Windows NT is fully supported for PPTP connections to the VPN Concentrator. Service Pack 3 (SP3) or later is required. If you run SP3, install the PPTP Performance and Security patches. Refer to Microsoft's web site for information about the PPTP Performance and Security Upgrade for WinNT 4.0. The only resolution for this is to reinstall the NT 4.0 Server Option Pack without adding the Service Pack afterwards.

Note: The 128-bit Service Pack 5 does not handle MPPE keys correctly, and PPTP can fail to pass data. When this occurs, the event log shows this message.

PIX versions 6.3 and later support PPTP pass through or PPTP over PAT using the PPTP fixup feature. This feature allows PPTP traffic to traverse the PIX when configured for PAT. The PIX performs stateful PPTP packet inspection in the process. Refer to the section on PPTP configuration in Configuring Application Inspection (Fixup) to configure PPTP fixup on the PIX. The fixup protocol pptp 1723 command configures PPTP fixup.

Troubleshoot

Q. What ports should I open on a firewall in order to accommodate PPTP tunnels?

Q. What does it mean when I receive the message "Error 734" and then get disconnected?

A. This error indicates that the router and the PC cannot negotiate authentication. For example, if you set the PC authentication protocols for Shiva PAP (SPAP) and Microsoft Challenge Authentication Protocol (MS-CHAP) version 2 (when the router is unable to do version 2), and you set the router for CHAP, then the debug ppp negotiation command on the router displays this output.

04:30:55: Vi1 LCP: Failed to negotiate with peer

Another example is if the router is set for vpdn group 1 ppp encrypt mppe 40 required and the PC is set for "no encryption allowed." The PC does not connect and produces an "Error 734," and the debug ppp negotiation command on the router displays this output.

Q. What does "Error 742" mean?

A. This error means that the remote computer does not support the required data encryption type. For example, if you set the PC for "encrypted only" and delete the pptp encrypt mppe auto command from the router, then the PC and the router cannot agree on encryption. The debug ppp negotiation command shows this output.

Another example involves the router MPPE RADIUS problem. If you set the router for ppp encrypt mppe auto required and the PC for "encryption allowed with authentication to a RADIUS server not returning the MPPE key," then you get an error on the PC that states, "Error 742: The remote computer does not support the required data encryption type." The router debug shows a "Call-Clear-Request" (bytes 9 and 10 = 0x000C = 12 = Call-Clear-Request per RFC) as seen here.
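The byte arithmetic above can be checked with a small decoder. This is an added example, not part of the original Cisco document: it reads the fixed PPTP control message header laid out in RFC 2637 and names the control message type found in bytes 9 and 10. The function name `parse_pptp_control` and the sample bytes are assumptions made for illustration, and the input is assumed to start at the first byte of the PPTP message (after the TCP header).

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D  # magic cookie carried in every PPTP control message
# Control Message Type codes 1..15, in RFC 2637 order
CONTROL_TYPES = dict(enumerate([
    "Start-Control-Connection-Request", "Start-Control-Connection-Reply",
    "Stop-Control-Connection-Request", "Stop-Control-Connection-Reply",
    "Echo-Request", "Echo-Reply",
    "Outgoing-Call-Request", "Outgoing-Call-Reply",
    "Incoming-Call-Request", "Incoming-Call-Reply",
    "Incoming-Call-Connected", "Call-Clear-Request",
    "Call-Disconnect-Notify", "WAN-Error-Notify", "Set-Link-Info",
], start=1))

def parse_pptp_control(hexdump):
    """Decode the 12-byte header of a PPTP control message given as hex text."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 12:
        raise ValueError("need at least 12 bytes, got %d" % len(raw))
    # bytes 1-2 length, 3-4 PPTP message type, 5-8 magic cookie,
    # bytes 9-10 control message type, 11-12 reserved
    length, msg_type, cookie, ctrl_type, _ = struct.unpack("!HHIHH", raw[:12])
    if cookie != PPTP_MAGIC:
        raise ValueError("magic cookie 0x%08X is not PPTP" % cookie)
    if msg_type != 1:
        raise ValueError("PPTP message type %d is not a control message" % msg_type)
    info = {
        "length": length,
        "truncated": len(raw) < length,  # dump shorter than the stated length
        "type": ctrl_type,
        "name": CONTROL_TYPES.get(ctrl_type, "unknown"),
    }
    # Call-Clear-Request carries the Call ID in bytes 13-14
    if ctrl_type == 12 and len(raw) >= 14:
        info["call_id"] = struct.unpack("!H", raw[12:14])[0]
    return info

# Constructed sample, not a capture: Call-Clear-Request for Call ID 7
SAMPLE = "00 10 00 01 1A 2B 3C 4D 00 0C 00 00 00 07 00 00"

if __name__ == "__main__":
    print(parse_pptp_control(SAMPLE))
```

A bad magic cookie or a dump shorter than 12 bytes raises `ValueError`, which usually means the hex was copied starting at the wrong offset.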

Q. I think I have a split tunneling issue. What should I do when a PPTP tunnel comes up on a PC, the PPTP router has a higher metric than the previous default, and I lose connectivity?

A. Run a batch file (batch.bat) to modify the Microsoft routing to resolve this problem. Delete the default route and then reinstall the default route (you must know the IP address that the PPTP client was assigned, such as 192.168.1.1).

Windows Remote Access Service (RAS) connections are automatically disconnected when you log off from a RAS client. You can remain connected by enabling the KeepRasConnections registry key on the RAS client.

If you are logging on to a domain from a Windows-based workstation or member server and the domain controller cannot be located, you do not receive an error message indicating this issue. Instead, you are logged on to the local computer using cached credentials.

If you experience name resolution issues on your TCP/IP network, you might need to use Lmhosts files to resolve NetBIOS names. You must follow a specific procedure to create an Lmhosts file to use in name resolution and domain validation.